To open a TDE-enabled database, OpenEdge must be able to open the keystore. To successfully open the keystore, you must provide the correct keystore passphrase and, if the database is configured for secondary authentication using an HSM, the correct keystore PIN.

For details about setting up HSM authentication, see Add HSM as a second layer of TDE authentication.

If OpenEdge cannot open the keystore, then opening the database fails. You have two configuration choices for how the keystore passphrase and PIN are supplied:

  • Manual mode — You must supply (type in) the keystore account passphrase (and PIN, if required) every time the database is opened.
  • Autostart mode — OpenEdge supplies the passphrase (and PIN, if required) that you configured, so the keystore opens automatically.

Manual mode is more secure, but it interferes with automated database administration (scripts), because every database access or invocation of an executable requires manual intervention. Autostart mode does not affect scripts, but it potentially gives unfettered access to encrypted data.